School District in Maryland Stops Collection of Social Security Numbers

This comes nearly a year after the school system learned of a data breach that exposed the names, dates of birth and Social Security numbers of nearly 1,000 students who attended Frederick County Public Schools schools in 2005-2006.

by Allen Etzler, The Frederick News-Post, Md. / July 6, 2017

(TNS) — Frederick County Public Schools (FCPS) is no longer collecting Social Security numbers under the district's new data security policy.

Director of Technology Infrastructure Edward Gardner, who oversaw the development of the new data policy, said the school system would not collect student Social Security numbers "unless explicitly necessary," and he could not think of a reason it would be.

This comes nearly a year after the school system learned of a data breach that exposed the names, dates of birth and Social Security numbers of nearly 1,000 students who attended FCPS schools in 2005-2006.

"School systems should ask, 'do we need to share this information?'" data privacy expert Linnette Attai, who serves as president of Playwell LLC and project director for the Consortium of School Networking, said when reached by The Frederick News-Post for comment. "Do we need to share Social Security numbers? If not, then why are we sharing them?"

The school system will continue to work with several third-party vendors and share student information, but the information will be much more limited, Gardner said. For instance, many vendors will have access only to user names and passwords that students input to use specific apps.

Others might have access to "directory information" such as first and last names. English-language learners (ELL) could give out a bit more information in certain apps, but no financial information will be made available to vendors that work with ELL students, Gardner said.

Just 6 percent of families trust that government agencies can keep data secure, according to a 2015 Pew Research Center poll.

But parents will be notified via the student handbook which information is being made available to third parties. Parents will also have the opportunity to opt out of sharing the data, Gardner said.

Attai said the key for the school system is to build trust among parents is transparency. FCPS should be upfront with what data it shares and why it is being shared, Attai said.

"Knowledge takes out the fear and in turn allows for more well-informed questions," Attai said.

Gardner is helping the school system develop a "Written Information Security Program," which will centralize student information that is made available to third parties. FCPS also agreed to a contract with Janus Software Inc., which will perform quarterly tests of the district's data security.

"This is a starting point," Gardner said, adding that checks could become more frequent in the future.

As apps and technology continue to infiltrate classrooms, Attai noted that districts need to be aware of the vendors schools share information with. Some districts share information with as many as 500 third-party vendors, but can still keep information secure, she said.

"It all depends on how much they vet and what they are sharing," Attai said. "If they're sharing data like names and what they're doing in the app, that's not really valuable data to a hacker. It's useful for the company, but not something a hacker would be interested in."

Gardner said the school system has developed a committee to determine which apps should be used in the classroom. The school system is working with the committee on a more formal app approval process, but for now, teachers fill out forms to request to use those apps in class. Gardner said the committee holds security in the highest regard when determining which apps are used.

"If it doesn't meet our security standards, it will not get approved," Gardner said. "It doesn't matter how good of an app it is."

Gardner also noted that in contracts with vendors, the contract explicitly states that vendors may not sell or release any of the data that is collected.

Attai said school systems also need to be cognizant of how much data is required by the vendor.

"They should be sure they are only giving out the minimally required amount of data," she said. "Make sure that companies aren't receiving more data than they need. [School systems] shouldn't do that."

©2017 The Frederick News-Post (Frederick, Md.) Distributed by Tribune Content Agency, LLC.